Modern messaging systems and collaborative environments, such as Lotus Notes, are dispatched across large enterprise systems as a distributed application. Messaging accounts or IDs are typically assigned to one particular server. Traditionally, to communicate with a set of receiving clients, the sender of a message would need to delineate all client IDs in the message header. A typical message header would include the following address fields.

        From: sid
        To: rid-1, rid-2, . . . , rid-n
        Cc: rid-n+1, . . . rid-n+m
        Bcc: rid-n+m+1, . . . rid-n+m+k

The prior art messaging format is not only cumbersome, but it also exposes the IDs of each recipient to all other recipients, with the exception of the “blind carbon copy” field (the <Bcc:> field). A recipient replying to the sender and to all receivers would send a message to the <From:>, <To:>, and the <Cc:>, but would not be able to see and reply to <Bcc:>. While the <Bcc:> feature ensures that the sender can inform recipients of matters without exposing their identity, relevant feedback may not be provided to all appropriate parties.
One way to eliminate the problems associated with the above-described approach is to utilize a group concept. The group concept can be implemented in one of the following three ways:

        (a) the sender maintains a group name that is associated with a list of recipients, whereby the messaging client software replaces the group name issued in the <To:>, <Cc:>, or <Bcc:> sections with the list of recipient IDs;

        (b) the sender and recipients utilize a global messaging resource such as a mailing list, which is a special mail ID which reflects all messages sent to it to the members that have subscribed to the mailing list; or

        (c) the messaging client does not replace the group name in the recipient list; however, the sending software identifies the recipients and sends them the message, with the group name still showing up in the recipient field.

There are disadvantages to all three of the group messaging approaches. In (a), the IDs of recipients must be exposed to all recipients to enable the recipient to reply. If a <Bcc:> section is utilized those IDs are not sent to the recipients, hence they cannot receive any reply. In (b), the anonymity of the recipients is maintained during a sequence of message transmissions where the initial message and all replies to it are sent to the mailing list which then reflects them to all subscribers. The group members need to be added to the mailing list by themselves or by a central administrator with appropriate privileges. With the mailing list, however, it is difficult to create the messaging group that is defined with the semantic context, the management domain, and the naming scope of the individual messaging user account in a highly dynamic way. As a result, it is too cumbersome to use the mailing list as the per-account messaging group mechanism. In (c), the anonymity of the recipients is maintained as well; however, the recipients are unable to respond to the group since the group is defined only in the sender's context and does not bear meaning in the recipients' contexts.
To summarize, in (a) and (c) above, the group has the naming scope only in the local context of the original sender, and as a result, either the identity of the group members is not kept anonymous, as in (a), or successive reply message exchanges within group members are not possible, as in (c). On the other hand, in (b), an anonymous group messaging method is provided, but only with the introduction of the special group IDs having non-local, or global, naming scope as the per-account messaging group mechanism. The use of the global mailing list for per-account messaging account makes the naming and the membership definition difficult. In an enterprise messaging environment, for example, a local messaging group “managed by” can be defined per messaging user account representing the messaging users who are managed by the user account. Such a grouping mechanism is based on the relationship between the group owner and the group members. Moreover, the group membership determined by the relationship is highly dynamic in nature—the group members are dynamically determined according to the attributes of the group members. The prior art mailing list does not support the notion of the group owner nor the relationship of the group members to the group owner. In order to emulate per-account message groups by using the mailing list, it would be required to have a prohibitively large number of mailing list accounts and to make virtual associations between the messaging accounts and the mailing lists. This method would incur resource usage overheads and administrative burdens.
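The trade-off among approaches (a), (b) and (c) can be checked with a small model. The following is an added example, not part of the original document; the account IDs, the group name `my-team`, the list ID `team-list`, and the assumption that the sender is subscribed to the mailing list are all constructed for illustration.

```python
# Constructed sample data: IDs and names below are hypothetical.
SENDER = "sid"
MEMBERS = ["rid-1", "rid-2", "rid-3"]
GROUP = "my-team"      # group name known only in the sender's local context
LIST_ID = "team-list"  # global mailing-list ID used by approach (b)

def deliver(mode):
    """Return (header seen by each recipient, envelope recipients)."""
    if mode == "a-to":   # (a) client expands the group name into <To:>
        return {"From": SENDER, "To": list(MEMBERS)}, list(MEMBERS)
    if mode == "a-bcc":  # (a) expanded into <Bcc:>, which is not sent on
        return {"From": SENDER, "To": []}, list(MEMBERS)
    if mode == "b":      # (b) global list ID stays in <To:>, list reflects
        return {"From": SENDER, "To": [LIST_ID]}, list(MEMBERS)
    if mode == "c":      # (c) group name stays in <To:>, sender side resolves
        return {"From": SENDER, "To": [GROUP]}, list(MEMBERS)
    raise ValueError(mode)

def resolve(addr, replier):
    """Resolve one address in the naming scope of the replying account."""
    if addr == LIST_ID:  # global scope (assumes the sender is subscribed)
        return set(MEMBERS) | {SENDER}
    if addr == GROUP:    # sender-local scope: meaningless to anyone else
        return set(MEMBERS) if replier == SENDER else set()
    return {addr}        # an individual account ID

def analyse(mode, replier="rid-1"):
    """What a recipient learns, and whether its reply-all reaches the group."""
    header, envelope = deliver(mode)
    exposed = {a for a in header["To"] if a in MEMBERS} - {replier}
    reached = set()
    for addr in [header["From"]] + header["To"]:
        reached |= resolve(addr, replier)
    others = set(envelope) - {replier}
    return {"exposed": sorted(exposed), "reply_reaches_group": others <= reached}

if __name__ == "__main__":
    for mode in ("a-to", "a-bcc", "b", "c"):
        print(mode, analyse(mode))
```

Only (b) yields both no exposed member IDs and a working group reply, and it does so only by relying on the globally scoped list ID.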
Although there exist prior art approaches that provide secrecy of message contents or anonymity of group members on the sender side, none of them provides the capability of anonymous group messaging whereby anonymity of group members is kept throughout the entire lifetime of group message exchange; none provides seamless continuation of message exchanges which is maintained through simple replies to the original group message; and, none provides access control that defines the capability of sending, replying to, and receiving group messages according to role models of the participant. The foregoing, therefore, are objectives of the present invention.
U.S. Pat. No. 6,266,420, of Langford, et al, entitled “Method and Apparatus for Secure Group Communication” provides the notion of the group public key and the group private key. In the patented method, the sender encrypts the symmetric key once per group using the group public key. A recipient uses the group private key to extract the symmetric key from the wrapped symmetric key encrypted by the sender. As a result, the approach eliminates the computing overhead and storage/transmission overhead of previous approaches which perform encryption, transmission, and decryption of the symmetric key multiple times, one per each receiver. However, this prior invention only focuses on the secrecy of the message contents in group communications. On the other hand, it is desirable to focus on the anonymity of the recipients, too. It is not practical to enforce anonymity by using the symmetric and asymmetric keys, as in the prior art, since all the message routers or exchangers en route from the sender to the recipients decipher the recipient information to further route the message.
In another prior art approach, detailed in U.S. Pat. No. 6,256,733, of Thakker, et al, entitled “Access and Storage of Secure Group Communication Cryptographic Keys”, group credentials required in secure group communication systems are dynamically administrated for enhanced manageability. Each group member can generate security credentials, can store them in a repository that can be accessed by multiple parties, and can retrieve a portion of them. Means of membership management are also provided to cope with the case of member addition and deletion. The patented method also focuses on the secrecy of the message contents and not on the anonymity of the recipients.
Japanese Patent Publication JP2001-339381, entitled “Anonymous Recipient Information Delivery System and Delivery Method”, tries to keep both the secrecy of message contents and the anonymity of the correspondents at the server side. To maintain secrecy, the server transmits the encrypted message using the public keys of the clients. Since the public key itself can become a means to extract identity information of clients, a gateway is provided to relay messages between the server and client, whereby the server does not manage the public keys of clients but the gateway manages the public keys. The gateway randomizes the public keys when it communicates with the server, so that the identities of clients are kept concealed. The gateway then relays the message from the server to the clients. The gateway should transform the message encryption from one using the randomized public key to one using the original public key of the individual client. This prior art intends to provide anonymity, yet, it provides anonymity from third parties and not among recipients. Moreover, the requirement for a special gateway for transformation is burdensome and introduces a high computational overhead. Finally, the prior art approach does not provide a means for a client to reply to a group message without knowing the recipient's individual identity.
Japanese Patent publication JP201-186169, entitled “Electronic Mail Management System and Recording Medium for Storing Electronic Mail Management Program”, provides a way of dynamically creating a sub-mailing list within a mailing list according to the membership information of subscribers in order to deliver electronic mails of local interest only to the group of subscribers in the sub-mailing list. When a client subscribes to a mailing list, a client may not want to receive all of the messages on the mailing list, since there may be multiple independent topics being discussed in the mailing list and the client may be indifferent to some of those topics. The cited Japanese patent publication facilitates the creation of sub-mailing lists within a mailing list and the creation of sub-mailing lists out of the predefined sub-mailing lists in the whole list. While this prior art provides a way to limit the delivery of messages to a subset of the original group, it does not provide a means of enforcing anonymity of recipients of the message. Although it can be said that limiting message delivery only to the sub-mailing list is a form of a secrecy provision, it does not provide content secrecy or recipient anonymity among recipients and on the wire.
Japanese Patent publication JP2001-160007, entitled “Electronic Mail Device” suggests a group mailing system that can automatically fill in the recipient addresses from a predefined group of addresses if the corresponding recipient names appear in the message body in order to improve operability and to eliminate possible input errors. Because this prior art approach does not address anonymity issues in the group communication environment, it does not provide the needed solution which is an object of the present invention.
Hence, what is needed, and is an objective of the present invention, is a method of collaboration and message exchange that is flexible and is based on per-account group definition without the need for a centralized, global messaging account resource.
A further objective of the present invention is to provide a method and system which maintains the anonymity of the recipients from other recipients and enables a recipient to reply to the sender and the group members, without knowing their identity by utilizing the group name provided in the original message.
Another objective of the present invention is to provide a method and system for anonymous group messaging whereby anonymity of group members is kept throughout the entire lifetime of group message exchange, providing seamless continuation of message exchanges through simple replies to the original group message.
It is also an objective of the present invention to provide the foregoing with access control that defines the capability of sending, replying to, and receiving group messages according to role models of the participant.